Hi again,

By specifying left/right subnet and id and also by using ikev2 connections, the problem was solved.
On Thu, Dec 13, 2012 at 1:17 PM, Ali Masoudi <[email protected]> wrote:
> Hi all
>
> I want to connect to a system on which strongswan is running. I
> have to use L2TP tunnels and pseudo IPSEC roadwarrior tunnels. I
> should explain that in roadwarrior connections, we know both subnets
> so we can use them instead of not using the field. So here is my
> configuration:
>
> ipsec.conf at 192.168.20.168:
>
> #########################################
> config setup
>     uniqueids="no"
>     strictcrlpolicy="no"
>
> conn %default
>     keyingtries="%forever"
>     leftsendcert="always"
>
> include /usr/local/etc/ipsec.l2tp.conf
>
> conn MyTun2
>     authby="psk"
>     auto="add"
>     compress="no"
>     keyexchange="ikev1"
>     ike="aes256-md5-modp1536!"
>     ikelifetime="86400"
>     esp="aes256-md5-modp1536!"
>     keylife="86400"
>     left="192.168.20.168"
>     leftid="192.168.20.168"
>     leftsubnet="192.168.5.0/24"
>     rekeymargin="20"
>     right="%any"
>     rightid="tarigh-rw-170"
>     rightsubnet="192.168.150.0/24"
>     type="tunnel"
>
> ipsec.l2tp.conf:
> #######################################
> conn L2TP
>     auto="add"
>     authby="psk"
>     type="tunnel"
>     left="192.168.20.168"
>     leftprotoport="17/1701"
>     right="%any"
>     rightprotoport="17/%any"
>     rekey="no"
>     keyingtries="5"
>     #leftfirewall="yes"
>     ike="aes256-sha1-modp2048!"
>     esp="aes-sha1!"
>
> ////////////////////////////////////////////////////////////////////////////////////////////////////
>
> ipsec.conf at 192.168.20.170 as RW:
> #####################################################
> config setup
>     uniqueids="no"
>     strictcrlpolicy="no"
>
> conn %default
>     keyingtries="%forever"
>     leftsendcert="always"
>
> conn MyTun
>     authby="psk"
>     auto="start"
>     compress="no"
>     keyexchange="ikev1"
>     ike="aes256-md5-modp1536!"
>     ikelifetime="86400"
>     esp="aes256-md5-modp1536!"
>     keylife="86400"
>     left="192.168.20.170"
>     leftid="tarigh-rw-170"
>     leftsubnet="192.168.150.0/24"
>     rekeymargin="20"
>     right="192.168.20.168"
>     rightid="192.168.20.168"
>     rightsubnet="192.168.5.0/24"
>     type="tunnel"
>
> //////////////////////////////////////////////////////////////////////////////////////////////////////
>
>
> Here is some part of the log on 192.168.20.168:
>
> 16:39 14[CFG] <1> looking for an ike config for 192.168.20.168...192.168.20.170
> 16:39 14[CFG] <1> ike config match: 5 (192.168.20.168 192.168.20.170)
> 16:39 14[CFG] <1> candidate: 192.168.20.168...%any, prio 5
> 16:39 14[CFG] <1> ike config match: 5 (192.168.20.168 192.168.20.170)
> 16:39 14[CFG] <1> candidate: 192.168.20.168...%any, prio 5
> 16:39 14[CFG] <1> found matching ike config: 192.168.20.168...%any with prio 5
> 16:39 01[JOB] next event in 29s 999ms, waiting
> 16:39 14[IKE] <1> received XAuth vendor ID
> 16:39 14[IKE] <1> received NAT-T (RFC 3947) vendor ID
> 16:39 14[IKE] <1> received DPD vendor ID
> 16:39 14[IKE] <1> 192.168.20.170 is initiating a Main Mode IKE_SA
> 16:39 14[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
> 16:39 14[DMN] <1> PAYA: get_alg_from_ikev1
> 16:39 14[DMN] <1> PAYA: get_alg_from_ikev1
> 16:39 14[DMN] <1> PAYA: get_alg_from_ikev1
> 16:39 14[DMN] <1> PAYA: get_proposals:IKE .
> 16:39 14[CFG] <1> selecting proposal:
> 16:39 14[CFG] <1> no acceptable INTEGRITY_ALGORITHM found
> 16:39 14[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
> 16:39 14[CFG] <1> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
> 16:39 14[IKE] <1> no proposal found
>
>
> I have some questions and I would be really grateful if any of them
> were answered. What is the exact method of calculating "prio" for connections?
> In the log above, prio is 5 for both matches.
> In other words, what is the priority of the configs? Which one has
> higher prio? Which one has lower?
> Is there any solution for my test scenario?
>
> Thank you so much
> Ali

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
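An added example, not code from the thread or from the strongSwan project: a small Python lint for the situation the log above shows. In IKEv1 Main Mode the responder has to choose an IKE proposal from the first message, before the initiator's ID is sent, so when two conns share the same left/right address pair (here `192.168.20.168...%any`, both listed at prio 5) the `ike=` line of whichever conn matches first decides the negotiation, and `rightid=` cannot disambiguate them at that point. The script parses ipsec.conf-style text (following `include` lines and merging `%default`), flags address pairs whose conns carry different `ike=` proposals, and pairs the `received proposals` / `configured proposals` charon log lines to show which components disagree. The file contents and log lines are constructed to mirror the thread and are served from an in-memory dict so it runs offline; the parser is simplified (one `%default`, no `also=`/`%`-macro handling) and is an assumption of this example, not the strongSwan starter parser.

```python
"""Flag conns that compete for the same IKE_SA peer with different ike= proposals."""
import re
from collections import defaultdict

# Constructed input modelled on the thread's two files (not the real files).
FILES = {
    "/etc/ipsec.conf": """\
config setup
    uniqueids="no"

conn %default
    keyingtries="%forever"

include /usr/local/etc/ipsec.l2tp.conf

conn MyTun2
    authby="psk"
    keyexchange="ikev1"
    ike="aes256-md5-modp1536!"
    left="192.168.20.168"
    leftsubnet="192.168.5.0/24"
    right="%any"
    rightid="tarigh-rw-170"
    rightsubnet="192.168.150.0/24"
""",
    "/usr/local/etc/ipsec.l2tp.conf": """\
conn L2TP
    authby="psk"
    left="192.168.20.168"
    leftprotoport="17/1701"
    right="%any"
    rightprotoport="17/%any"
    #leftfirewall="yes"
    ike="aes256-sha1-modp2048!"
    esp="aes-sha1!"
""",
}

# Constructed charon log lines copied in shape from the thread.
LOG = [
    "16:39 14[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536",
    "16:39 14[CFG] <1> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048",
]


def parse_ipsec_conf(path, files=FILES):
    """Parse ipsec.conf syntax into {section: {key: value}} (simplified parser).

    Follows 'include' lines, strips quotes and '#' comments; only 'conn'
    sections are kept ('config setup' is ignored for this check).
    """
    sections = {}
    current = None
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("include "):
            sections.update(parse_ipsec_conf(line.split(None, 1)[1].strip(), files))
        elif not line[0].isspace():  # section header such as 'conn X'
            kind, _, name = line.strip().partition(" ")
            current = name.strip() if kind == "conn" else None
            if current is not None:
                sections.setdefault(current, {})
        elif current is not None:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def conns_with_defaults(sections):
    """Return the real conns with %default values filled in underneath."""
    defaults = sections.get("%default", {})
    return {n: {**defaults, **c} for n, c in sections.items() if n != "%default"}


def ambiguous_ike_configs(conns):
    """Group conns by (left, right); return groups whose ike= proposals differ."""
    groups = defaultdict(dict)
    for name, cfg in conns.items():
        key = (cfg.get("left", "%any"), cfg.get("right", "%any"))
        groups[key][name] = cfg.get("ike", "<daemon default>")
    return {k: v for k, v in groups.items() if len(v) > 1 and len(set(v.values())) > 1}


PROPOSAL_RE = re.compile(r"(received|configured) proposals: (IKE|ESP):(\S+)")


def proposal_mismatch(log_lines):
    """Return (received, configured) component pairs that differ between the two log lines."""
    seen = {}
    for line in log_lines:
        m = PROPOSAL_RE.search(line)
        if m:
            seen[m.group(1)] = m.group(3).split("/")
    if "received" not in seen or "configured" not in seen:
        return []
    return [(r, c) for r, c in zip(seen["received"], seen["configured"]) if r != c]


if __name__ == "__main__":
    conns = conns_with_defaults(parse_ipsec_conf("/etc/ipsec.conf"))
    for (left, right), names in ambiguous_ike_configs(conns).items():
        print(f"{left}...{right}: conns with differing ike= proposals: {names}")
    for received, configured in proposal_mismatch(LOG):
        print(f"peer offered {received}, responder configured {configured}")
```

Running it reports that `L2TP` and `MyTun2` both match `192.168.20.168...%any` with different `ike=` lines, and that the three mismatching components are the integrity algorithm, PRF and DH group, which is exactly what "no acceptable INTEGRITY_ALGORITHM found" in the thread's log reflects. The practical fixes are the ones the reply describes (distinct subnets and IDs, or IKEv2, where the peer's identity is available before the conn is finally selected) or simply giving conns that share an address pair the same `ike=` proposals.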
